Error while destroying of multiple azuread_application_password - Directory_ObjectNotFound: Unable to read the company information from the directory. #1578

Open
lukaszkucharski-tomtom opened this issue Nov 29, 2024 · 1 comment

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.9.8
on darwin_arm64
+ provider registry.terraform.io/hashicorp/azuread v3.0.2
+ provider registry.terraform.io/hashicorp/azurerm v4.12.0

Affected Resource(s)

  • azuread_application_password

Terraform Configuration Files

You can find example modules here: https://github.com/banan1988/issues/tree/main/terraform/azuread-remove-password-issue

Debug Output

You can find all logs from the apply, first destroy and second destroy here: https://github.com/banan1988/issues/tree/main/terraform/azuread-remove-password-issue

Expected Behavior

I expect to add multiple ServicePrincipals with Applications and ApplicationPasswords and then remove all of them without retry :)

Actual Behavior

Unfortunately, after migrating to the AzureAD provider version 3.0.2, our Terraform code fails. When using for_each inside azuread-remove-password-foreach, the first destroy attempt fails. The second attempt passes.
Importantly, execution of the single module azuread-remove-password works every single time.

Steps to Reproduce

Go to azuread-remove-password-foreach and execute:

terraform init
terraform apply -auto-approve

1st try - fails

terraform destroy -auto-approve

2nd try - pass

terraform destroy -auto-approve

Important Factoids

Running in Azure - westeurope

lukaszkucharski-tomtom commented Dec 2, 2024

In the meantime, I figured out a potential workaround!

In the logs we can see that in most cases the destroy of azuread_application_password takes ~21-22ms:

module.azuread-remove-password["1"].azuread_application_password.application_password: Destruction complete after 22s
module.azuread-remove-password["2"].azuread_application_password.application_password: Destruction complete after 22s
module.azuread-remove-password["3"].azuread_application_password.application_password: Destruction complete after 21s
module.azuread-remove-password["4"].azuread_application_password.application_password: Destruction complete after 21s

I've run a couple of tests and it looks like adding some "delay" during destroy can help here:

resource "random_integer" "priority" {
  min = 30
  max = 60
}

resource "time_sleep" "wait_x_seconds" {
  depends_on = [azuread_application_password.application_password]

  destroy_duration = "${random_integer.priority.result}s"
}

What is really important: the "delay" should be longer than 30 seconds! Lower values failed :(

Nevertheless, it would be good to solve this problem directly in the provider!
